pluck-cms / pluck

Central repo for pluck cms
http://www.pluck-cms.org

file-upload vulnerability in data/inc/files.php #72

Closed Dk0n9 closed 5 years ago

Dk0n9 commented 5 years ago

Location: https://github.com/pluck-cms/pluck/blob/master/data/inc/files.php#L40

Code:

<?php
    // ......
    $blockedExtentions = array('.php','php3','php4','php5','php6','php7','phtml');
    if (in_array($lastfour, $blockedExtentions) or in_array($lastfive, $blockedExtentions)) {
        if (!rename('files/'.latinOnlyInput($_FILES['filefile']['name']), 'files/'.latinOnlyInput($_FILES['filefile']['name']).'.txt')) {
            show_error($lang['general']['upload_failed'], 1);
        }
        chmod('files/'.latinOnlyInput($_FILES['filefile']['name']).'.txt', 0775);
    } else {
        chmod('files/'.latinOnlyInput($_FILES['filefile']['name']), 0775);
    }
    // ......
?>

When the uploaded file's suffix matches an entry in $blockedExtentions, the file is renamed to .{ext}.txt; suffixes missing from $blockedExtentions are not renamed. So you can upload a webshell by overriding the .htaccess file.

Step 1. Upload a file named .htaccess

File content: (screenshot, not reproduced)

Step 2. Upload a file named phpinfo.txt

File content: (screenshot, not reproduced)

Step 3. Request

(screenshot "getshell", not reproduced)
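As an added illustration (not code from the pluck project or from anyone in this thread), the quoted blocklist check is shown next to an allowlist-based filename policy that rejects dotfiles and unknown extensions instead of renaming a fixed set of known-bad ones. The function names, the allowed-extension list and the sample names are assumptions for this example, not pluck identifiers.

```php
<?php
// Added example, not pluck's own code: the blocklist check quoted in the
// issue next to an allowlist-based filename policy. Function names and the
// allowed-extension list are assumptions for this illustration.

// Blocklist check as quoted from files.php: only the last four or five
// characters of the name are compared, so names with no extension and
// server configuration files such as .htaccess pass through unchanged.
function blocklistAllowsName(string $name): bool
{
    $blockedExtentions = array('.php','php3','php4','php5','php6','php7','phtml');
    $lastfour = substr($name, -4);
    $lastfive = substr($name, -5);
    return !(in_array($lastfour, $blockedExtentions) || in_array($lastfive, $blockedExtentions));
}

// Hardened policy: accept only an explicit allowlist of extensions, reject
// dotfiles, and check every extension in the name (not just the last one)
// so nothing is silently renamed; anything outside the allowlist is refused.
function uploadNameIsAcceptable(string $name): bool
{
    $allowed = array('txt', 'pdf', 'png', 'jpg', 'jpeg', 'gif', 'zip');

    // Use only the basename so the client cannot supply directory components.
    $name = basename($name);

    // Empty names and dotfiles (.htaccess and friends) are never acceptable.
    if ($name === '' || $name[0] === '.') {
        return false;
    }

    $parts = explode('.', $name);
    if (count($parts) < 2) {
        return false;               // no extension at all
    }
    array_shift($parts);            // drop the stem; the rest are extensions
    foreach ($parts as $ext) {
        // Comparison is case-insensitive; every extension must be allowlisted.
        if (!in_array(strtolower($ext), $allowed, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample names showing where the two checks differ.
$samples = array('report.txt', 'photo.jpg', 'shell.php', '.htaccess', 'archive.tar.gz');
foreach ($samples as $s) {
    printf("%-16s blocklist=%s allowlist=%s\n", $s,
        blocklistAllowsName($s) ? 'pass' : 'reject',
        uploadNameIsAcceptable($s) ? 'pass' : 'reject');
}
```

The two checks agree on report.txt and photo.jpg and on rejecting shell.php, but only the allowlist refuses .htaccess; it also refuses archive.tar.gz because "tar" is not on the list, which is the usual cost of a strict policy and is easier to reason about than a blocklist that has to anticipate every handler the server might honour. This is an application-side check; it complements, rather than replaces, the server-side control BSteelooper refers to below: Apache only processes .htaccess where AllowOverride permits it, so AllowOverride None on the upload directory makes an uploaded .htaccess inert regardless of what the application accepts.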

Dk0n9 commented 5 years ago


This was assigned CVE-2019-11344.

Credit: dk from Chaitin Tech

BSteelooper commented 5 years ago

pluck-4.7.9-dev2.tar.gz

Can you try the latest checkout?

BSteelooper commented 5 years ago

I classified this as invalid. This is not a security concern. With the password there are easier ways to deface or take over the website. The inclusion of the .htaccess is a server setting to have this allowed or not. In my setup SetHandler is never allowed from .htaccess and only from the vhost.

BSteelooper commented 5 years ago

Fixed it in this latest release: pluck-4.7.9-dev3.tar.gz